Reporting on the information security failings of the U.S. government is like beating the proverbial dead horse. So when a recent GAO (Government Accountability Office) report asserted that the IRS had failed to implement fundamental security controls, I decided to take a different approach: I wanted to see what the underlying problem might be. I didn’t have to look far.
In a Networkworld.com article, Grant Gross quoted part of the report:
"IRS continues to, among other things, allow sensitive information, including IDs and passwords for mission-critical applications, to be readily available to any user on its internal network, and grant excessive access to individuals who do not need it," the GAO report said. "Despite IRS’s progress, information security control weaknesses continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information." Source: Auditor: IRS still vulnerable to cyber breaches, Grant Gross, IDG News Service, 9 January 2009
The report did say the IRS had made some progress, correcting 49 of 115 security problems found in November 2008. Yet I wonder what they actually fixed if things like least privilege and segregation of duties are still broken.
Why does an agency of the U.S. government still not have basic security controls in place? After years of audits, reported breaches, and general public angst about the government’s ability to protect personal and national security information, what prevents the IRS from doing the right things? The following, also from Gross’ article, might shed some light.
…the IRS has not yet implemented an agencywide information security program, the GAO said. A program should include periodic risk assessments, testing of security procedures and security.
When something as fundamental as an agency-wide security program is missing, it’s easy to understand why basic security controls are also absent and why employees don’t understand the difference between safe and risky behavior.
No organization can achieve even the most fundamental security level unless it has clearly defined how to mitigate information system risk across all operational areas. So the first step when implementing security at any organization, whether public or private, is a management-supported security program. The policies and processes it contains, based on a well-defined security strategy, provide the framework upon which security controls and system design are built.
Until the IRS steps back and builds a program (I’m assuming they have a strategy), their efforts at protecting their data—our personal information—will be hit-or-miss. The same holds true for any organization that hasn’t taken the time to define what security means to its operations, to write policies and processes that support that definition, and to create a solid awareness program so everyone understands management’s expectations.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.